Shadow-IT, it's forbidden to forbid

If you haven’t figured out what BYOD means, you probably have not been reading the digital press lately. The term “bring your own device” is at the center of many conversations. It’s the latest incarnation of the consumerization of IT. You know these new gadgets are so simple to use, why has IT never been able to come up with something that simple? That’s actually a good question. But simplicity has not been at the heart of IT’s criteria to create or acquire an application. It’s always been security, richness of functionality, customization capabilities, management, financial strength of the supplier etc.

So, when users redid what they had done in the 90’s with Microsoft Excel, bypassing IT to get what they wanted, IT’s temptation has been to block them from doing it. And there are actually good reasons why you may want to take a hard look at “shadow-IT”, as it may fundamentally put you at risk of breaching compliance.

But blocking service access is probably not a wise thing to do. As Chris Anderson, chief editor of Wired Magazine, told the audience at a keynote at HP Discover, “if IT wants to tackle shadow-IT, IT better be competitive”, and I would add “and popular”. Blocking services does not really help you become popular. So, what should we do?

In my mind, IT’s strategy should be centered around two things: educating the users on the implications of “shadow-IT” and improving IT’s own services. Let me describe those two in a little more detail.

Education

Talking to business users, I’m often flabbergasted by how little they know of the potential risks of putting information in the public cloud. Incidents have happened over the years. Many of us received several e-mails from loyalty programs when a company called Epsilon suffered a security breach. I did not suffer any damage, but many others did. Interestingly enough, there is NO legal obligation today for companies to make security breaches public. The EU wants to change that, but it’s not a done deal yet.

How many of your users are aware of this? How many know about Data Protection Acts and other data-related legislation? Do they have that in mind when sharing information using DropBox, Skydrive, LinkedIn, Facebook or another tool?

Education is of the essence, not to scare them, but to point out the importance of being careful when using open internet services. The second element to take into account is BYOD. App stores have hundreds of thousands of applications. What are those actually doing? Who is making sure none of them collects information on behalf of hackers or criminals? That is bound to happen, if it has not already.

IT consumerization pushes us to use the same device to play “Angry Birds” and access our e-mail and enterprise systems. We want full control over that device, so don’t limit the use. But make people aware of the associated risks.

In that case, what services should I propose to them? Here is where the other aspect comes in.

Service Improvement

Invite your users to subscribe to your services, but make sure they are competitive. So, there is homework to do. Where should you start? Typically the first thing users look for is tools to help them in their day-to-day work: making it easier for them to share a large file, giving them the opportunity to have a video conference with their colleagues from other parts of the world, etc. So, why don’t we make sure we provide them an outstanding user experience, so they use IT’s services rather than looking outside?

But this implies we have a good understanding of what they are looking for. Here is where governance comes in. Work with representatives of the business to understand what they are looking for.

And then communicate about the availability of the service, ensure all members of the organization are fully aware of the fact this is now offered internally. Listen, deliver, and communicate.

If you are interested in reading the original blog post and understanding why I chose the title I chose, read the CloudSource blog entry.

The very nature of ignoring or forbidding something that inevitably is going to happen (like BYOD in a converged cloud environment) is a security vulnerability. And, as noted above, once a policy is set and services made available, they need to be communicated. Just having a solution does not a successful solution make. It needs to be used, implemented. As Verstraete notes above and on the Cloudsource blog, you need to "listen, deliver, communicate".

Christian, recently there have also been quite a few debates going on about shadow IT; the conclusion is consistent with what you describe here: IT, take the initiative to manage them, out of the shadow, back to sunshine.

It may also mean IT needs to speed up, running IT as a business, to become a real service organization and provide a solution menu for customers to select from. It also means centralized governance and vendor relationship management; still, the CIO needs fellow executive peers' support to handle it seamlessly. Thanks.

Absolutely. I believe IT needs to take a pragmatic view of their operations, simplify what they do so they have more time/budget/resources to respond to the true needs of their customers. That implies listening, governance, delivery, communication.

Recently a CIO from a major bank appeared on a conference panel discussion. The talk turned to IT complexity, and the moderator asked the panelists what hardware they supported in their data centers.
The bank CIO thought for a moment, leaned forward and then said slowly, “Everything that’s ever been invented.”
The remark got a laugh, but it also revealed a truth many CIOs can relate to. Years of technology proliferation have resulted in a legacy maintenance problem that handcuffs IT organizations and prevents them from contributing to the business at a time when flexible IT infrastructure has...